Re: [Resin-interest] BEAST SSL Attack
We're getting scanned today. Any hope on this?

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Still needing a little assistance on this one.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Thursday, January 10, 2013 2:12 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Hmm, we were able to swap out jsse for openssl and get that working without any issues using the snapshot you recommend below. However, when we add honor-cipher-order under the openssl node, we get this error:

    [root@alpha bin]# ./www.sh start
    /opt/sendthisfile/server/conf/www.xml:80: honor-cipher-order is an unexpected tag (parent openssl starts at 75).

    78:       <password>password</password>
    79:       <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite>
    80:       <honor-cipher-order>true</honor-cipher-order>
    81:     </openssl>
    82:   </http>

    openssl syntax:
    ((@ca-certificate-file | ca-certificate-file)?
     (@ca-certificate-path | ca-certificate-path)?
     (@ca-revocation-file | ca-revocation-file)?
     (@ca-revocation-path | ca-revocation-path)?
     (@certificate-file | certificate-file)
     (@certificate-chain-file | certificate-chain-file)?
     (@certificate-key-file | certificate-key-file)?
     (@cipher-suite | cipher-suite)?
     (@crypto-device | crypto-device)?
     (@password | password)
     (@protocol | protocol)?
     (@session-cache | session-cache)?
     (@session-cache-timeout | session-cache-timeout)?
     (@unclean-shutdown | unclean-shutdown)?
     (@verify-client | verify-client)?
     (@verify-depth | verify-depth)?)

From the configuration, this is the version of OpenSSL we are on:

    OPENSSL   : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    include   : /usr/include
    lib       :
    libraries : -lssl -lcrypto

Any ideas?

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Tuesday, January 08, 2013 7:42 PM
To: resin-interest@caucho.com
Subject: Re: [Resin-interest] BEAST SSL Attack

On 1/5/13 5:14 PM, Keith Fetterman wrote:
> Hi Scott,
> We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is <honor-cipher-order>true</honor-cipher-order> in openssl.

-- Scott

> Thanks,
> Keith
>
> On 1/2/2013 1:36 PM, Scott Ferguson wrote:
>> On 1/2/13 11:58 AM, Aaron Freeman wrote:
>>> We have now been scanned and been found to be non-compliant due to lack of the ability to order ciphers. Is there any timeframe we might expect even a snapshot to have this capability?
>>
>> I'll see if I can get a snapshot this week.
>>
>> -- Scott
>>
>>> Thanks,
>>> Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet. We already received a request from another customer and there is a feature request for this here: http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE. We'll be implementing it in an upcoming release. Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:
> Knut,
>
> Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group.
>
> At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order that will suffice for PCI compliance. This bug for Tomcat addresses the issue and gives
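The "unexpected tag" error above is Resin's config parser rejecting a child element that the snapshot's <openssl> grammar does not list. The following is an added example, not Resin's own code and not from anyone on this thread: a hypothetical pre-flight checker that validates an <openssl> element against exactly the element list printed in that error (required vs. optional as marked by the trailing "?"), so a config can be checked before restarting the server, and a helper that splits the cipher-suite string into its exclusions and its stated preference order. The <http> wrapper and file paths in SAMPLE_CONFIG are constructed; the grammar table may be extended with "honor-cipher-order" to model a build that supports it.

```python
"""Check a Resin <openssl> element against the element grammar Resin prints in
its "unexpected tag" error.  Hypothetical checker, not Resin's own code."""
import xml.etree.ElementTree as ET

# Element names copied from the "openssl syntax" block in the error message.
# Resin accepts each either as an attribute (@name) or as a child element.
# Value: True = required (no trailing "?"), False = optional.
OPENSSL_GRAMMAR = {
    "ca-certificate-file": False,
    "ca-certificate-path": False,
    "ca-revocation-file": False,
    "ca-revocation-path": False,
    "certificate-file": True,
    "certificate-chain-file": False,
    "certificate-key-file": False,
    "cipher-suite": False,
    "crypto-device": False,
    "password": True,
    "protocol": False,
    "session-cache": False,
    "session-cache-timeout": False,
    "unclean-shutdown": False,
    "verify-client": False,
    "verify-depth": False,
}

# Constructed sample mirroring the config fragment quoted in the error output;
# the <http> attributes and key paths are made up for this example.
SAMPLE_CONFIG = """<http address="*" port="443">
  <openssl>
    <certificate-file>keys/server.crt</certificate-file>
    <certificate-key-file>keys/server.key</certificate-key-file>
    <password>password</password>
    <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite>
    <honor-cipher-order>true</honor-cipher-order>
  </openssl>
</http>"""


def validate_openssl(xml_text, grammar=OPENSSL_GRAMMAR):
    """Return a list of problems for every <openssl> element in xml_text.

    Unknown attributes and child elements are reported the way Resin reports
    them; required elements that are absent in both forms are reported too.
    """
    problems = []
    root = ET.fromstring(xml_text)
    for node in root.iter("openssl"):          # iter() includes root itself
        seen = set()
        for attr in node.attrib:
            if attr not in grammar:
                problems.append(f"@{attr} is an unexpected attribute")
            seen.add(attr)
        for child in node:
            if child.tag not in grammar:
                problems.append(f"{child.tag} is an unexpected tag (parent openssl)")
            seen.add(child.tag)
        for name, required in grammar.items():
            if required and name not in seen:
                problems.append(f"{name} is required but missing")
    return problems


def cipher_preference(cipher_suite):
    """Split an OpenSSL cipher string into (excluded, ordered) token lists so the
    server-side preference as written is visible.  Only '!' exclusions are
    modelled; '+', '-' and '@STRENGTH' are not expanded here."""
    excluded, ordered = [], []
    for token in cipher_suite.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token:
            ordered.append(token)
    return excluded, ordered


if __name__ == "__main__":
    for problem in validate_openssl(SAMPLE_CONFIG) or ["openssl element OK"]:
        print(problem)
    # Same config checked against a grammar that knows the new tag.
    extended = dict(OPENSSL_GRAMMAR, **{"honor-cipher-order": False})
    print("with honor-cipher-order in grammar:", validate_openssl(SAMPLE_CONFIG, extended))
    excl, order = cipher_preference("!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL")
    print("excluded:", excl)
    print("preference order as written:", order)
```

Run against the sample, the checker reproduces the thread's failure (honor-cipher-order rejected) and passes once the grammar table includes the tag, which is the difference between the snapshot Aaron tried and a build that actually carries the feature. Note that cipher_preference only shows the order the string requests; the server honours that order only when cipher ordering is supported and enabled.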
Re: [Resin-interest] BEAST SSL Attack
On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com> wrote:
> We're getting scanned today. Any hope on this?

I just tested that Resin snapshot - the honor-cipher-order is not in that jar. I think there was a mistake in the SCM checkin or Scott may have built the archive too soon. We'll try to put up a new snapshot today/soon, but I'm not certain it's possible with various other bug fixes in progress.

Thanks,
Paul

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
OK, just keep us posted.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Friday, January 18, 2013 10:01 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com> wrote:
> We're getting scanned today. Any hope on this?

I just tested that Resin snapshot - the honor-cipher-order is not in that jar. I think there was a mistake in the SCM checkin or Scott may have built the archive too soon. We'll try to put up a new snapshot today/soon, but I'm not certain it's possible with various other bug fixes in progress.

Thanks,
Paul